// returns 1 if iFlashImageMemOffset wrapped or if iFlashImageParagraph
// wrapped, else returns 0.
//
// the function will adjust the paragraph pointer if the data read reached
// the end of the memory segment (hit the 64k boundary at 0xFFFF)
//
// reconstructed declarations for the firmware globals this routine updates
// (they are never declared in the decompile itself)
extern unsigned int iFlashImageMemOffset;   // offset within the current 64k window
extern unsigned int iFlashImageParagraph;   // which 64k window of the image we are in

unsigned int OSMO_DetectFlashImageParagraphWrap(unsigned int dataSize, unsigned int paragraphIncrement)
{
    OSMO_IsMSBofASet(); // this is useless code (result is discarded)
    // snapshot both pointers BEFORE touching them: the wrap tests at the end
    // compare against the old values, and the decompile left these uninitialised
    unsigned int original_iFlashImageMemOffset = iFlashImageMemOffset;
    unsigned int original_iFlashImageParagraph = iFlashImageParagraph;
    // widen before adding: if unsigned int is 16 bits on the target, the sum
    // would wrap to a small value before the cast and the boundary check
    // would never fire
    if ((unsigned long)iFlashImageMemOffset + dataSize > 0xFFFFUL)
        iFlashImageParagraph = iFlashImageParagraph + paragraphIncrement + 1;
    else
        iFlashImageParagraph = iFlashImageParagraph + paragraphIncrement;
    iFlashImageMemOffset = iFlashImageMemOffset + dataSize; // wrapping at 16 bits is intended here
    if (iFlashImageParagraph < original_iFlashImageParagraph) return 1;  // paragraph rolled over
    if (iFlashImageParagraph != original_iFlashImageParagraph) return 0; // crossed the 64k boundary, paragraph was bumped
    if (iFlashImageMemOffset < original_iFlashImageMemOffset) return 1;  // offset wrapped with no paragraph change
    return 0;
}
#define MSB(x) (unsigned char)(((x) >> 8) & 0x00FF)
#define LSB(x) (unsigned char)((x) & 0x00FF)   // companion macro; the code below uses it but the decompile never showed it

void OSMO_SendCmd07(unsigned int seqNum)
{
    /* translations:
       dataLength = varA
       seqNum = var0
       indexer = var2
    */
    unsigned int dataLength, var8, var6, var4, indexer; // var8/var6/var4 are unused decompile leftovers
    unsigned int value;                                  // one 16-bit word read from the image
    // determine the packet length based on subCmd type
    dataLength = OSMO_DetermineCmd07PktLength(seqNum);
    iPacketLength = dataLength + 2; // add space for additional fields
    arrayPacketDataBuffer[0] = iPacketLength;
    arrayPacketDataBuffer[1] = OSMO_Cmd07DetermineSubcommand(seqNum);
    // point the flash cursor at the slice of the image this sequence number covers
    iFlashImageMemOffset = OSMO_CalcFlashImageMemOffset(seqNum);
    iFlashImageParagraph = OSMO_CalcFlashImageParagraph(seqNum);
    indexer = 0;
    while (indexer < (dataLength/2) - 1)
    {
        value = OSMO_GetFirmwareWordFromFlash(iFlashImageMemOffset,
                                              iFlashImageParagraph,
                                              iCmd07FlashAddrAdjustIndex);
        // store value into the packet buffer (same buffer as [0] and [1] above),
        // MSB first... offset of +2 is used to skip over the subCmd and
        // sequence number. The index is truncated to 8 bits, as in the decompile.
        arrayPacketDataBuffer[LSB((indexer * 2) + 2)] = MSB(value);
        arrayPacketDataBuffer[LSB((indexer * 2) + 3)] = LSB(value);
        // advance the cursor by one word; bumps the paragraph if we crossed 0xFFFF
        OSMO_DetectFlashImageParagraphWrap(2, 0);
        indexer++;
    }
    OSMO_SendCmdPacketToRoomba(0x07);
}
1) figure out how much data will be put into the data field of the packet
2) populate the data field with the sequence number
3) populate the data field with the subcommand number
4) populate the data field with the image data
a) determine location of image data for the particular byte
b) read the word from the flash space
c) populate the data field with the word (MSB first)
d) increment the memory offset for the next value
e) determine if paragraph pointer needs to be incremented
f) loop until the packet length has been fulfilled
What this also means is that we might have an encrypted package. Which sux!!! I don't see any ASCII strings here and I know I should. Sigh.
I'm still tearing this program apart so I'm hoping to find more secrets that I can use to decode the package. I doubt it, but the flash reader subroutine might have some insight that I missed.
I do have some ideas. If I can figure out how to blindly inject code into the roomba, I can clear the security bit which will allow me to download the flash. This does break one of my primary objectives which was to do all of this without soldering, but eh.. if I can do it once and download the source, I'll never need to do it again. Bad for me, good for you.
Any thoughts? Anyone still reading this?
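Added example, written here to illustrate the post; it is not code from the post or from the Osmo firmware. It models the paragraph:offset flash cursor that the decompiled OSMO_DetectFlashImageParagraphWrap() walks and runs the chunk-assembly steps listed above (length, subcommand, then words MSB first with the cursor advanced after each one) against a constructed flash image, so you can watch what happens at the 64k boundary. Everything not in the post is an assumption: the target's unsigned int is taken to be 16 bits (modelled with uint16_t), a "paragraph" is taken to select a 64 KiB window of the image, the packet layout [length][subcmd][data...] follows the decompile, the subcommand value 0x02 is made up, and the flash contents are a synthetic byte pattern, not a real firmware image. The function and variable names other than the two globals are this example's own.

```c
/* Added example (not from the post or the Osmo firmware): host-side model of
 * the paragraph:offset flash cursor and the Cmd07-style chunk assembly.
 * Assumptions (hypothetical): 16-bit unsigned ints on the target (uint16_t
 * here), one "paragraph" = one 64 KiB window, packet = [len][subcmd][data...]
 * with words MSB first, subcmd 0x02 is made up, flash contents are a
 * constructed pattern. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FLASH_WINDOW   0x10000UL   /* bytes reachable from one paragraph */
#define NUM_PARAGRAPHS 2           /* constructed image: two 64 KiB windows */
#define PKT_MAX        64
#define MSB(x) ((uint8_t)(((x) >> 8) & 0xFF))
#define LSB(x) ((uint8_t)((x) & 0xFF))

static uint8_t g_flash[NUM_PARAGRAPHS * FLASH_WINDOW];
static int     g_flash_ready;
uint8_t        g_pkt[PKT_MAX];

/* Same two globals the decompile uses, held in 16 bits like the target. */
uint16_t iFlashImageMemOffset;
uint16_t iFlashImageParagraph;

/* Constructed flash image: byte at linear address a is (a*7+3) & 0xFF, so
 * every word is distinct and the expected packet bytes are easy to derive. */
static void build_fake_flash(void)
{
    for (size_t a = 0; a < sizeof g_flash; a++)
        g_flash[a] = (uint8_t)((a * 7 + 3) & 0xFF);
    g_flash_ready = 1;
}

/* Read one big-endian word at paragraph:offset (linear = para*64K + off). */
static uint16_t get_word(uint16_t off, uint16_t para)
{
    uint32_t a = (uint32_t)para * FLASH_WINDOW + off;
    return (uint16_t)(((uint16_t)g_flash[a] << 8) | g_flash[a + 1]);
}

/* Advance the cursor by dataSize bytes.
 * Returns 0 if the cursor stayed inside its window, 1 if it crossed the
 * 64 KiB boundary (paragraph bumped, offset wrapped), 2 if the paragraph
 * counter itself rolled over past 0xFFFF. The decompiled routine folds the
 * last two into one flag; splitting them is this example's choice. The sum
 * is formed in 32 bits BEFORE the compare: on a 16-bit target, off + dataSize
 * would wrap first and the boundary test would never fire. */
int advance_cursor(uint16_t dataSize, uint16_t paragraphIncrement)
{
    uint16_t origPara = iFlashImageParagraph;
    uint32_t sum  = (uint32_t)iFlashImageMemOffset + dataSize;
    uint16_t bump = (uint16_t)(paragraphIncrement + (sum > 0xFFFFUL ? 1 : 0));

    iFlashImageParagraph = (uint16_t)(origPara + bump);
    iFlashImageMemOffset = (uint16_t)sum;          /* 16-bit wrap is the point */

    if (bump != 0 && iFlashImageParagraph < origPara) return 2;
    if (sum > 0xFFFFUL)                              return 1;
    return 0;
}

/* Build one chunk into g_pkt: [len][subcmd][nWords words, MSB first], reading
 * from startPara:startOff and advancing the cursor one word at a time.
 * Returns the number of 64 KiB boundary crossings met, or -1 if the request
 * does not fit the packet buffer or the constructed image. */
int build_chunk(uint8_t subcmd, uint16_t nWords, uint16_t startOff, uint16_t startPara)
{
    int crossings = 0;
    if (!g_flash_ready) build_fake_flash();
    if ((size_t)nWords * 2 + 2 > PKT_MAX) return -1;
    if ((uint32_t)startPara * FLASH_WINDOW + startOff + (uint32_t)nWords * 2 > sizeof g_flash) return -1;

    iFlashImageMemOffset = startOff;
    iFlashImageParagraph = startPara;
    g_pkt[0] = (uint8_t)(nWords * 2 + 2);
    g_pkt[1] = subcmd;
    for (uint16_t i = 0; i < nWords; i++) {
        uint16_t v = get_word(iFlashImageMemOffset, iFlashImageParagraph);
        g_pkt[2 + i * 2] = MSB(v);
        g_pkt[3 + i * 2] = LSB(v);
        if (advance_cursor(2, 0) == 1) crossings++;
    }
    return crossings;
}

/* Exercise the rarer path: the paragraph counter itself rolling over. */
int paragraph_wrap_demo(void)
{
    iFlashImageParagraph = 0xFFFF;
    iFlashImageMemOffset = 0xFFFE;
    return advance_cursor(2, 0);   /* paragraph goes 0xFFFF -> 0, returns 2 */
}

int main(void)
{
    int crossings = build_chunk(0x02, 4, 0xFFFC, 0);   /* straddles the 64k boundary */
    printf("crossings=%d cursor=%04X:%04X pkt=", crossings,
           (unsigned)iFlashImageParagraph, (unsigned)iFlashImageMemOffset);
    for (int i = 0; i < g_pkt[0]; i++) printf("%02X ", g_pkt[i]);
    printf("\nparagraph wrap demo -> %d\n", paragraph_wrap_demo());
    return 0;
}
```

Starting the chunk at 0000:FFFC with four words is the interesting case: the second word is read at FFFE, the cursor then lands on 0001:0000, and the last two words come from the next window, which is exactly the situation the decompiled wrap routine exists to handle. The 32-bit sum in advance_cursor() is the one thing to carry back when reading the decompile: if the target really does have 16-bit ints, a cast applied after the addition cannot catch the crossing.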